Document Title: =============== Simplephpscripts Simple CMS v2.1 - Remote SQL Injection Vulnerability
References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2303 Release Date: ============= 2021-10-19 Vulnerability Laboratory ID (VL-ID): ==================================== 2303 Common Vulnerability Scoring System: ==================================== 7.1 Vulnerability Class: ==================== SQL Injection Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== The system could be used only in already existing websites to control their page sections and contents. Just paste a single line of code on your web page section and start controlling it through the admin area. Very simple installation - one step installation wizard. Option to include contents into web page sections through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders. (Copy of the Homepage: https://simplephpscripts.com/simple-cms-php ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the Simplephpscripts Simple CMS v2.1 web-application. Affected Product(s): ==================== Simplephpscripts Product: Simple CMS v2.1 - Content Management System (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-09-03: Researcher Notification & Coordination (Security Researcher) 2021-09-04: Vendor Notification (Security Department) 2021-**-**: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2021-10-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== High Authentication Type: ==================== Restricted Authentication (Moderator Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A remote sql-injection vulnerability has been discovered in the official creative zone web-application. The vulnerability allows remote attackers to inject or execute own sql commands to compromise the dbms or file system of the application. The sql-injection web vulnerability is located in the `newUser` and `editUser` function of the `users` module in the `admin.php` file. Remote attackers with privileged access to the panel are able to add users. If a user account already exists like for example the admin account, each add of the same name or email values results in a unfiltered mysql exception. The exception is not filtered and sanitized. Thus allows privileged attackers to inject and execute own sql commands on the affected database management system to compromise. The request method to inject is post and the attack vector is non-persistent. Exploitation of the sql injection vulnerability requires user interaction and a privileged web-application user account. Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise. Request Method(s): [+] POST Vulnerable Module(s): [+] newUser [+] editUser Vulnerable File(s): [+] admin.php?act=users Vulnerable Input(s): [+] Name [+] Username [+] Password Vulnerable Parameter(s): [+] name [+] username [+] password Affected Module(s): [+] Users (act=users) (Backend) Proof of Concept (PoC): ======================= The remote sql-injection web vulnerability can be exploited by remote attackers with privileged account and without user interaction. For security demonstration or to reproduce the sql injection vulnerability follow the provided information and steps below to continue. PoC: Example act=addUser&name=[ADD EXISITING DEFAULT VALUE!]&[email protected]&username=[ADD EXISITING DEFAULT VALUE!]&password=[ADD EXISITING DEFAULT VALUE!]&submit=Add User PoC: Exploitation act=addUser&name=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&[email protected]&username=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&password=a-1'&submit=Add User --- PoC Session Logs (POST) --- https://simple-cms.localhost:8000/simplecms/admin.php Host: simple-cms.localhost:8000 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser Content-Type: application/x-www-form-urlencoded Content-Length: 132 Origin: https://simple-cms.localhost:8000 Connection: keep-alive Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23 act=addUser&name=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&[email protected]&username=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&password=[ADD EXISITING DEFAULT VALUE]-[SQL-INJECTION!]'&submit=Add User - POST: HTTP/2.0 200 OK server: Apache content-length: 1224 content-type: text/html; charset=UTF-8 --- SQL Error Exception Logs --- Error: SELECT * FROM cms2_users WHERE username='a%20-1' Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%20-1'' at line 1 Solution - Fix & Patch: ======================= 1. Disallow sql-errors to be displayed in the frontend and backend. Disable to redisplay the broken or malicious query on client-side. 2. Use prepared statement to protect the sql query of the post method request 3. Restrict the post parameters by disallow the usage of special chars with single or double quotes 4. Setup a filter or validation class to deny broken or manipulated sql queries Credits & Authors: ================== Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
